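I am trying to enable Spring Security in a Spring MVC application that provides some REST web services (Java 8). The problem I have is that the authentication I set up does not work at all: I can access my REST endpoints without any credentials. I am using this manual: https://docs.spring.io/spring-security/site/docs/5.0.7.RELEASE/reference/htmlsingle/
The Git repository with the complete code of my application is at: https://github.com/SP8EBC/MKS_JG_ONLINE
SecurityConfig.java looks like this: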
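import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser(Secret.user).password("{noop}" + Secret.password).roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // http
        //     .csrf()
        //     .disable()
        //     .authorizeRequests().antMatchers("/**").permitAll()
        //     .anyRequest().authenticated()
        //     .and()
        //     .httpBasic()
        //     .realmName("test")
        //     .authenticationEntryPoint(new CustomAuthenticationEntryPoint());
        http.authorizeRequests().anyRequest().denyAll();
    }
}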
AppConfig.java
@Configuration
@Import(SecurityConfig.class)
@EnableWebMvc
@EnableSpringDataWebSupport
@EnableTransactionManagement
@EnableJpaRepositories(basePackages = {"pl.jeleniagora.mks.dao.repository"})
@ComponentScan("pl.jeleniagora.mks")
public class AppConfig{
    // beans and app config
}
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
  <display-name>MKS_JG_ONLINE</display-name>
  <context-param>
    <param-name>contextClass</param-name>
    <param-value>
      org.springframework.web.context.support.AnnotationConfigWebApplicationContext
    </param-value>
  </context-param>
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>pl.jeleniagora.mks.ws.config</param-value>
  </context-param>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <servlet>
    <servlet-name>rest</servlet-name>
    <servlet-class>
      org.springframework.web.servlet.DispatcherServlet
    </servlet-class>
    <init-param>
      <param-name>contextClass</param-name>
      <param-value>
        org.springframework.web.context.support.AnnotationConfigWebApplicationContext
      </param-value>
    </init-param>
    <init-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>pl.jeleniagora.mks.ws.controllers</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>rest</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>
  <welcome-file-list>
    <welcome-file />
  </welcome-file-list>
</web-app>
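When I start Tomcat 8.5 in debug mode, I can see that SecurityConfig is loaded (execution stops at the breakpoints in configure and configureGlobal). What am I doing wrong?
Answer 0 (score: 0)
Spring Security needs a servlet filter registered alongside the security configuration.
Add the following to your web.xml.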
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
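This adds the filter and applies it to all requests.
However, as you are using a recent servlet container, I suggest you ditch the web.xml and create 2 Java classes to do the bootstrapping. (See also here.)
First, bootstrap your application: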
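import org.springframework.web.servlet.support.AbstractAnnotationConfigDispatcherServletInitializer;

public class MvcWebApplicationInitializer extends AbstractAnnotationConfigDispatcherServletInitializer {

    @Override
    public Class<?>[] getServletConfigClasses() {
        return new Class[] { WebConfig.class }; // or whatever it is called or return `null`
    }

    @Override
    protected Class<?>[] getRootConfigClasses() {
        return new Class[] { AppConfig.class };
    }

    // Required by the abstract base class; mirrors the <servlet-mapping> in the web.xml above.
    @Override
    protected String[] getServletMappings() {
        return new String[] { "/*" };
    }
}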
Then add one to bootstrap/configure the Spring Security filter:
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer { }
Now everything is configured with Java, without needing web.xml.
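
A deployment check for the failure discussed in this thread, where the security configuration loads but web.xml registers no filter for it. This is an added example, not code from the question, the answer or the MKS_JG_ONLINE project; the class name SecurityFilterCheck and the inline descriptors are constructed for illustration, and it only recognizes the exact filter name and /* mapping shown in the answer.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SecurityFilterCheck {
    static final String PROXY = "org.springframework.web.filter.DelegatingFilterProxy";
    // DelegatingFilterProxy looks up a bean named after the filter by default,
    // and Spring Security publishes its chain under this bean name.
    static final String BEAN = "springSecurityFilterChain";

    // Trimmed text of the first <tag> descendant of parent, or "" if absent.
    static String child(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? "" : n.item(0).getTextContent().trim();
    }

    // True if some <tag> element names the security filter and has <childTag> == value.
    static boolean has(Document d, String tag, String childTag, String value) {
        NodeList list = d.getElementsByTagName(tag);
        for (int i = 0; i < list.getLength(); i++) {
            Element e = (Element) list.item(i);
            if (BEAN.equals(child(e, "filter-name")) && value.equals(child(e, childTag))) return true;
        }
        return false;
    }

    // The filter must be both declared and mapped to every request.
    static boolean isProtected(String webXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DTDs so the check itself cannot be abused through XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document d = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(webXml.getBytes(StandardCharsets.UTF_8)));
        return has(d, "filter", "filter-class", PROXY) && has(d, "filter-mapping", "url-pattern", "/*");
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: servlet only (as in the question) and with the answer's filter added.
        String servlet = "<servlet><servlet-name>rest</servlet-name></servlet>";
        String filter = "<filter><filter-name>" + BEAN + "</filter-name><filter-class>" + PROXY
                + "</filter-class></filter><filter-mapping><filter-name>" + BEAN
                + "</filter-name><url-pattern>/*</url-pattern></filter-mapping>";
        System.out.println("servlet only: " + isProtected("<web-app>" + servlet + "</web-app>"));
        System.out.println("with filter:  " + isProtected("<web-app>" + servlet + filter + "</web-app>"));
    }
}
```

Run against the real descriptor in CI, a false result flags the state the question describes: SecurityConfig is instantiated, yet no request ever passes through the security filter chain.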